Industry among most targeted by attackers

By making a significant investment in cybersecurity, West Michigan manufacturers can avoid having their sensitive information getting into the wrong hands.

Just ask Jessica Dore, a principal in technology risk management in Grand Rapids at accounting and consulting firm Rehmann LLC. Dore works on the firm’s Corporate Investigative Services unit that performs cybersecurity assessments and vulnerability and penetration tests for clients in manufacturing, as well as banking, higher education and other sectors.

According to Dore, hackers are trying to “exploit vulnerabilities” by getting into various systems of sensitive data. Big data breaches oftentimes result from “individuals wanting to get access to financial systems” to transfer money out, which they achieve via phishing emails or “through other means of social engineering,” Dore said.

However, advanced manufacturing companies face cyber risks beyond compromised bank accounts. Although they are often heralded for streamlining production and improving efficiency, connected devices on the shop floor are prime targets to be compromised, including in ways not immediately noticeable, according to industry experts.

For example, Forbes reported last year that researchers had identified vulnerabilities in popular industrial robots that allowed them to be controlled remotely, setting up manufacturers for “significant” if not “catastrophic” threats.

“If an entire factory’s output is wasted because robots had been secretly tweaked to produce faulty goods, millions could be lost. Worse, parts for planes or cars could be changed as to become dangerous if put out into the real world,” according to the report.

That’s why West Michigan manufacturers are making “significant investments” in cybersecurity, said Tim Mroz, vice president of marketing and communications at The Right Place Inc.

However, the level of investment depends on the individual business, he said.

“Some businesses have chosen to invest internally in their I.T. teams, in hardware, software, human resources (and) internally to have that management on site,” Mroz said. “Others have chosen to work through consultants, to work through other experts in the industry outside and contract that work. One is not right, one is not wrong. There’s just two very different ways to approach it.”

Many West Michigan manufacturers receive confidential information from customers that they need to protect. That can include drawings, contracts, patents or other “sensitive material information.”

Because of this, manufacturers such as the Grand Rapids-based Medbio Inc., the Cascadebased ADAC Automotive and the Walker-based Plasan North America Inc. are investing and “adopting stronger cybersecurity protocols mainly because of security compliance reasons,” Mroz said.

“Many of our manufacturers may have defense or government contracts and now they need a cybersecurity protocol, they need to be certified in order to maintain those contracts,” Mroz said.

He added that highly valuable intellectual property needs to be protected because those platform innovations “will continue to have iterative improvement made to them in subsequent years.”

“There are certain fundamental platforms, innovations on certain automotive platforms, defense platforms, that will stay and will continue to be built upon over the next five to ten years,” Mroz said. Compromising that foundational innovation may put at risk those “iterative product developments.”

“I think with companies and manufacturers, if they have a new prototype that they make and they don’t want so-and-so to see what they’re working on, then (it’s) important to invest in cybersecurity,” she said.

INNOVATION TRUMPS IP THEFT?

However, some manufacturing executives say the pace of innovation and the rise of technology makes protecting trade secrets less important these days.

Travis Randolph, the president of Zeelandbased Symbiote Inc., a designer and engineer of laboratory furniture for life sciences, aerospace/ defense and high-tech R&D environments, said contract furniture companies pay close attention to protecting their designs from being ripped off by Chinese companies. That’s why so many companies will manufacture overseas but keep their R&D operations at the home office, he said.

“High-tech manufacturing of course is what’s being done in China, but the high-tech R&D will never be done outside the U.S. It’s the only way you protect your intellectual property,” Randolph told MiBiz in a recent interview.

Still, he cites Moore’s Law, which describes the rapid pace of advancement in technology, as one reason why some manufacturers worry less about protecting intellectual property and care more about continuing to innovate.

If they keep innovating, it won’t matter if someone steals the intellectual property because it will be obsolete as soon as the company introduces its newest iteration anyway, Randolph said.

“Moore’s Law applies to everything in the technology business nowadays, so that you really don’t care if they steal the I.P.,” he said. “Well, you do care, but it’s not as damaging as it could be if they steal the I.P. of your existing product because that’s being replaced by the new product that you’ll be introducing in three months. And the faster the acceleration, the less significant the I.P. theft is.”

DATA BREACHES ON THE RISE

According to Dore at Rehmann, West Michigan manufacturers need to better understand the threats they could face, rather than become another victim. The place to start, she said, is by protecting their finances from being compromised.

“The majority of businesses are doing most of their banking online,” Dore said. “What the hackers want to do is to be able to get into … manufacturers’ online banking platform.

“We’re constantly working on projects with our clients to test their cybersecurity efforts and then give them recommendations on how to improve their cybersecurity controls.”

Data breaches have become a large issue for employers today, said Dore, noting the number of breaches continues to rise. According to the Identity Theft Resource Center, breaches nationwide reached a record high of 1,579 in 2017, up 44.7 percent from the previous year.

“I started 13 years ago with the firm. It’s something that’s been increasing every year since I started,” Dore said. “With all the attacks that are happening out there today, cybersecurity is a huge topic for all of our clients that we have at the firm.”

To combat breaches, Rehmann offers clients firewall protection, intrusion detection and prevention systems, which Dore said prevents and detects malicious software and traffic. The team also analyzes when to shut off those attacks.

She said the process can be costly, depending on the software implemented, but is still a crucial step for businesses.

GETTING READY

The authors of the most recent IBM X-Force Threat Intelligence Index called manufacturing the third most-targeted industry for cyber attacks last year.

In 2017, manufacturers had 13 percent of the overall security incidents and were targeted in 18 percent of all attacks. Additionally, almost 30 percent of all attacks used malicious input data that hackers use to try to control or disrupt the target company’s systems.

Still, manufacturers disclosed a limited number of incidents in 2017, which researchers attributed to underreporting by the industry.

“This could be because the manufacturing sector is not subject to the same obligations to report breaches as industries such as financial services, healthcare and retail,” the authors wrote.

In a 2017 survey of manufacturers, Naperville, Ill.-based accounting and advisory firm Sikich Capital Management LLC found that 63 percent of manufacturers conduct I.T. risk assessments and 37 percent conduct intrusion testing. However, the vast majority — 70 percent — fail to provide their employees with cybersecurity training, according to the survey.

That training becomes especially important since attackers perceive manufacturers as being weak and frequently target the sector, as the IBM report also indicates. In the Sikich survey, only 8.5 percent of respondents indicated they were “very ready” to address cybersecurity.

“It’s one of the most unregulated industries,” Brad Lutgren, a partner in Sikich’s security and compliance practice, wrote in the report. “There hasn’t been as much adoption in manufacturing simply because there isn’t anyone beating them with a stick to say you have to be taking specific security measures.”